The U.S. Congress has recently set new requirements (CMMC) for companies working with the Department of Defense (DOD). These companies must now report any security breach in their networks to the Department of Homeland Security and be CMMC compliant.
That is an interesting move, as we have all heard of the breaches in many big business networks, which result in the theft of the personal information of millions of users. The policy change is because it is much easier to get to the source of the breach as opposed to the compromised information itself.
The DOD has recently had a spate of network security breaches that have compromised the information of individuals but not the data itself.
The recent case of the Department of Justice (DOJ) and the FBI also highlights that the FBI has access to any information stored in the cloud. This is one more reason why it is critical for companies to keep an eye on the security of their networks.
CMMC (Cybersecurity Maturity Model Certification) was first published in 2020; CMMC will slowly be implemented over the coming five years. CMMC will be a core part of all future bidding processes for DoD contracts.
Create user rules of access to all internal networks and systems, with a detailed, up-to-date list of users and their privileges within the system.
Know what hardware, software, and other technologies have access to the system. Create and document processes, from daily backups to disposal of old equipment and destruction of stored data.
Track, log and timestamp user access, actions and contact with CUI assets.
Cybersecurity training must be included in all levels of training, incorporating how the employee interacts with the CUI data within their role.
Unique identification of all users, devices, and every process.
Strong user identification process with a minimum complexity of passwords.
Everything needs maintenance. Create a schedule for system, hardware, and device maintenance.
Document system updates and patches to software, hardware, and firmware.
Restricted access to the building and all servers. Maintain a detailed list of employees with their access areas.
Establish processes to identify new risks and threats to the system.
Track external cybersecurity threats.
There are a number of different levels of compliance. Identify data you will need to use within the contract as it can require different types of compliance.
The National Institute of Standards and Technology (NIST) established the NIST 800-172 and NIST 800-171 enhanced security requirements for protecting government data and incorporated them as part of the certificate.
FCI (Federal Contract Information) – Data not ever intended for general or public release. You will require CMMC 5 levels certification.
CUI (Controlled Unclassified Information) – Data is sensitive but not classified. You will require CMMC 3 Levels certification.
Does the running of your business include several repetitive tasks? If there’s no guidance or procedure in place, it’s possible for some of the steps in the process to get forgotten. This is why checklists are important.
People get distracted, and when something gets forgotten, it’s much harder to recover than if they’d completed the task right in the first place.
Guidance every step of the way makes sure something is completed perfectly every time.
We all carry enormous knowledge and experience that we want to apply effectively, but we are all prone to making mistakes. There’s only so much we can store in our heads without forgetting something. How do we maximise our use of knowledge?
The simple answer to this problem is to use checklists.
How many types of checklists are there? Two. What are the two types of checklists? Read-Do and Do-Confirm checklists are about how you use checklists.
A checklist is a way to document each step needed to complete a task. It is a detailed set of instructions, a guide to how something is done.
Checklist software allows you to document every step of a process to be used over and over again.